Cross-forest or cross-domain migration is a process of migrating Exchange mailboxes and other objects from one Active Directory forest to another. A cross-forest migration is required when there is a new MS Exchange deployment with a new domain name. The organizations need to perform a cross-forest migration in case of company mergers, acquisitions, name change, or segmentation of the IT environment due to security reasons.
Cross-forest migration is a tedious, complex, and time-consuming task. It requires expertise and technical knowledge to perform the migration. In this post, we will be explaining the stepwise procedure of cross-forest migration from Exchange to Exchange, Exchange to Office 365, and Office 365 to Office 365.
Exchange to Exchange cross-forest migration is the process of moving mailboxes from one Active Directory forest to another. This migration requires careful planning as it involves transferring the user mailboxes, permissions, and configurations while ensuring minimal disruption. Here’s the process to perform the Exchange to Exchange cross-forest migration.
Note: Here, we will be taking Domain A as the old domain and Domain B as the new domain.
Step 1: Set up the New Exchange Server on Target Domain
First, you need to set up the new Exchange Server on the target domain. For this,
- Install and configure Exchange Server on target domain and ensure that all prerequisites (like OS, .NET, UCMA, C++ redistributables) are installed.
- Configure Exchange roles (Mailbox and Client Access—combined in 2019).
- Assign a valid SSL certificate and configure Autodiscover, EWS, and Outlook Anywhere.
- Test server health using tools, like Get-ServerHealth.
Step 2: Configure the Destination to Receive Emails for Domains Hosted in Domain A
Next, you need to add the accepted domains and email address policies. Here’s how:
- Add the accepted domains from Domain A to Domain B’s Exchange by using the below command:
New-AcceptedDomain -Name "DomainA.com" -DomainName domaina.com -DomainType Authoritative
- Update Email Address Policies to include addresses from Domain A, if needed.
Step 3: Configure the New Exchange Server to Act as a Remote Domain Connector for Domain A
For this, do the following:
- Create a Send Connector on Exchange Server (Domain B) targeting Domain A by using the New-SendConnector command (see the below example):
New-SendConnector -Name "To-DomainA" -AddressSpaces "domaina.com" -SmartHosts "<DomainA Mail Server>" -SmartHostAuthMechanism None -UseExternalDNSServersEnabled $false -SourceTransportServers "Exchange2019B"
- Ensure that network connectivity and firewall rules allow SMTP between both forests.
Step 4: Configure the Old Exchange Server to Forward all Inbound and Outbound Emails to New Exchange Server
You need to configure the Old Exchange Server (Domain A) to forward all inbound and outbound emails to new Exchange Server (Domain B). For this,
- In Domain A, create a Send Connector for Domain B by using the following command:
New-SendConnector -Name "To-DomainB" -AddressSpaces "domainb.com" -SmartHosts "<Exchange2019B IP/hostname>" -SmartHostAuthMechanism None -UseExternalDNSServersEnabled $false -SourceTransportServers "Exchange2013A"
- Configure a mail flow rule to redirect/route all outbound emails to Domain B for testing (optional).
Step 5: Create New Mailbox Databases on the New Exchange Server
Now, you need to create mailbox databases on the new Exchange Server. For this, use the following command on the target Exchange Server:
New-MailboxDatabase -Name "DB1" -EdbFilePath "D:\ExchangeDatabases\DB1\DB1.edb" -LogFolderPath "D:\ExchangeLogs\DB1"
Then, run the following command to mount the database:
Mount-Database DB1
Step 6: Migrate the Mailboxes to New Exchange Server
Here are the steps you need to follow to migrate mailboxes to the new Exchange Server:
- Log in to EAC, navigate to servers > virtual directories, then select the EWS, click on the Edit icon and enable MRS proxy for EWS.
- Navigate to recipients > migration, click on more options, and select Create New Migration end point. Configure the settings and create a new migration endpoint.
- Navigate to recipients > migration and click on the + icon to create a new migration request.
- Select the mailboxes that you want to migrate or upload a CSV file containing the list of mailboxes. Click on Next.
- Confirm the migration endpoint that you created above.
- Enter the batch name and the domain of target Exchange Server account. Click on Next.
- This will start the migration process.
- Once the process is completed, you can check the mailboxes on the target Exchange Server.
Exchange to Office 365 migration is the process of moving mailboxes, contacts, calendars, and other data from an on-premises Exchange Server to Microsoft 365 (Office 365). Before you start the migration process, here are some prerequisites that you need to fulfil:
1. Assess and Plan
Assess the existing Exchange environment in Forest A and design the target architecture in Forest B. Additionally, you need to validate:
- DNS setup (Autodiscover, MX, SPF, etc.)
- Certificate configuration (trusted SSL certificates)
- Network/firewall rules for Exchange and AD connectivity
2. Prepare the New Forest (Forest B)
Configure Office 365 in Forest B, ensure that the Cumulative Updates (CU) are installed, and Exchange schema is extended in Forest B. Add accepted domains (from Forest A and Office 365) to Exchange in Forest B. Then, ensure that proper name resolution and trust exists between Forest A and Forest B (if you will be using staged or ADMT migration). Now, migrate user accounts, groups, and SIDs from Forest A to Forest B. For this, use ADMT (Active Directory Migration Tool).
3. Prepare Forest B for Hybrid Deployment
Now, prepare the Forest B for hybrid deployment. For this,
- Set up Azure AD Connect in Forest B to synchronize with Microsoft 365.
- Add all necessary domains (accepted domains) to Microsoft 365 account and verify ownership.
- Configure Autodiscover, MX records, and other necessary DNS records.
4. Establish Hybrid in Forest B
- Run the Hybrid Configuration Wizard (HCW) in Forest B to connect Exchange to the existing Microsoft 365 tenant. Choose Minimal Hybrid, if only planning to migrate mailboxes or Full Hybrid for long-term coexistence.
- Update necessary DNS records (Autodiscover, SPF, and MX) to point to Forest B or Microsoft 365.
After fulfilling the above prerequisites, you can use the methods given below to perform the Exchange to Office 365 cross forest migration.
Method 1: Use the Active Directory Migration Tool
You can use the Active Directory Migration Tool to perform cross-forest migration. This tool helps migrate objects and restructuring tasks in Active Directory Domain Service (AD DS) infrastructure. You can use the tool to migrate users and groups between AD DS domains in same forest or different forests.
To use this tool, you need to perform multiple manual steps, which may lead to errors causing extended downtime. This can significantly affect the business and impact users’ productivity.
Method 2: Use the PowerShell Cmdlets
You can migrate mailboxes from one forest to another using the New-MoveRequest b dv and the New-MigrationBatch commands. To run these commands, the user must exist in the target Exchange forest and have a minimum set of required Active Directory attributes. However, before you start the migration process, you need to prepare the target and destination servers.
For detailed process, read: Prepare mailboxes for cross-forest move requests in Exchange Server.
However, there are a few limitations of this method:
- It requires proper planning and technical expertise to perform this method.
- After migration, users might need to recreate Outlook profiles, leading to confusion or downtime.
- During migration, if DNS or MX records are not in sync with mailbox moves, users may face delays or loss in mail delivery.
- If there is no trust relationship, synchronizing user data requires additional tools (e.g. ADMT, PowerShell scripts, or third-party tools).
- Synchronizing key attributes, like ProxyAddresses, LegacyExchangeDN, and ExchangeGUID between forests is complex and error-prone, especially if forests do not have a trust relationship.
Office 365 to Office 365 migration requires careful planning to ensure data integrity, minimal downtime, and seamless user experience. So, you need to first prepare your target and destination Microsoft 365 accounts for migration. Here are some prerequisites you need to consider:
1. Purchase and Assign Licenses
You need to purchase Cross-Tenant User Data Migration licenses for each user to be migrated. The licenses must be assigned to either the source or the target mailbox. Migration will fail without valid licensing. You need to also define the scope of users via mail-enabled security groups in the source tenant.
2. Prepare the Target Tenant
Use the Microsoft Entra Admin Center. Register a multi-tenant application with redirect URI https://office.com. Record the Application (Client) ID and create a Client Secret.
Next, add Mailbox.Migration application permission for Office 365 Exchange Online, remove default User.Read permission, and Grant Admin Consent for your tenant.
Then, use the Exchange Online PowerShell to create a new MigrationEndpoint. Now, create or modify organization relationship (Target Tenant).
3. Prepare the Source Tenant
- Accept the Migration App Consent
- Use the admin consent URL shared by the target tenant.
- Confirm the application is visible under Enterprise Applications.
- Create or Modify Organization Relationship (Source Tenant)
- Use Exchange Online PowerShell and set:
- MailboxMoveCapability to RemoteOutbound
- Link to the correct App ID from target
- MailboxMovePublishedScopes to include your security group
4. Prepare Target User Objects
- Create MailUser objects in the target tenant for each user. Must have attributes like:
- ExternalEmailAddress (set to source tenant routing address)
- TargetAddress
- Appropriate proxy addresses
Once the above prerequisites are fulfilled, you can start the migration. You can move the mailboxes from the target tenant using migration batches. You can create migration batches using the New-MigrationBatch PowerShell cmdlet, and specifying a source endpoint, a CSV file containing target tenant email addresses, and a target delivery domain. The email addresses in the CSV must reflect the target tenant’s domain. Migration batches can also be initiated through the Exchange Admin Center.
After the mailboxes are moved, it is essential to update the MailUser objects in both source and target environments with the correct targetAddress, matching the target delivery domain. Once all migrations are finalized, you can clean up by removing migration endpoints and organization relationships using Remove-MigrationEndpoint and Remove-OrganizationRelationship cmdlets.
To see the detailed process, read: Cross-tenant mailbox migration
You can use Stellar Migrator for Exchange to perform cross-forest migration of mailboxes. This software is suitable for the following types of migration:
- Exchange to Exchange migration
- Exchange to Office 365 migration
- Office 365 to Exchange migration
- Office 365 to Office 365 migration
This software will directly access the mailboxes on the source server and migrate them to the target server with a different AD forest. To use the software, you need to form a connection between the target and destination server, map the mailboxes, and start the migration process.
To see the detailed steps, refer: How to use Stellar Migrator for Exchange.
Conclusion
In case of new MS Exchange deployment with a new domain name, you need to migrate the mailboxes from the current server to the new server in a different forest. For this, you can use ADMT and PowerShell cmdlets. However, to migrate mailboxes without any hassle, you can use Stellar Migrator for Exchange. The software can easily form a secure connection between the source Exchange Server and the target server, even if these are a part of different Active Directory forests. It can be used for migration between local Exchange servers and Microsoft 365 tenants. This software can also migrate mailboxes from local Exchange Server to Microsoft 365 and vice-versa.
